<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - CloudFuzz: *exploitable* Invalid memory access in WebCore::CachedResourceClientWalker" href="https://bugs.webkit.org/show_bug.cgi?id=145275">145275</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>CloudFuzz: *exploitable* Invalid memory access in WebCore::CachedResourceClientWalker
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Layout and Rendering
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>koivisto@iki.fi
</td>
</tr></table>
<p>
<div>
<pre>14/05/15 12:15 Drew Yao:
Opening the attached html file in a debug build of WebKit trunk (r184335) with libgmalloc causes a crash.
Process 66512 stopped
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
   51           while (m_index &lt; size) {
   52               CachedResourceClient* next = m_clientVector[m_index++];
   53               if (m_clientSet.contains(next)) {
-&gt; 54                   ASSERT_WITH_SECURITY_IMPLICATION(T::expectedType() == CachedResourceClient::expectedType() || next-&gt;resourceClientType() == T::expectedType());
   55                   return static_cast&lt;T*&gt;(next);
   56               }
   57           }
(lldb) bt
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
* frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
frame #1: 0x00000001056a1822 WebCore`WebCore::CachedImage::notifyObservers(this=0x0000000164586b80, changeRect=0x0000000000000000) + 66 at CachedImage.cpp:314
frame #2: 0x00000001056a2053 WebCore`WebCore::CachedImage::finishLoading(this=0x0000000164586b80, data=0x000000016c3fffc0) + 547 at CachedImage.cpp:436
frame #3: 0x00000001072d5005 WebCore`WebCore::SubresourceLoader::didFinishLoading(this=0x00000001645a2b00, finishTime=0) + 517 at SubresourceLoader.cpp:371
frame #4: 0x0000000106fcb455 WebCore`WebCore::ResourceLoader::didFinishLoading(this=0x00000001645a2b00, (null)=0x0000000164623fe0, finishTime=0) + 53 at ResourceLoader.cpp:562
frame #5: 0x000000010758c03a WebCore`-[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:](self=0x0000000164633ff0, _cmd=0x00007fff9612ca40, connection=0x0000000164639ff0) + 186 at WebCoreResourceHandleAsDelegate.mm:260
frame #6: 0x00007fff95b7a24d CFNetwork`__65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke + 69
frame #7: 0x00007fff95b7a0b1 CFNetwork`-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 232
frame #8: 0x00007fff95b79fb7 CFNetwork`-[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 48
frame #9: 0x00007fff95b7af74 CFNetwork`___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke + 104
frame #10: 0x00007fff95c2e703 CFNetwork`___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 94
frame #11: 0x00007fff95acfcec CFNetwork`RunloopBlockContext::_invoke_block(void const*, void*) + 72
frame #12: 0x00007fff87568664 CoreFoundation`CFArrayApplyFunction + 68
frame #13: 0x00007fff95acfbad CFNetwork`RunloopBlockContext::perform() + 133
frame #14: 0x00007fff95acf998 CFNetwork`MultiplexerSource::perform() + 282
frame #15: 0x00007fff95acf7ba CFNetwork`MultiplexerSource::_perform(void*) + 72
frame #16: 0x00007fff8759ca01 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #17: 0x00007fff8758eb8d CoreFoundation`__CFRunLoopDoSources0 + 269
frame #18: 0x00007fff8758e1bf CoreFoundation`__CFRunLoopRun + 927
frame #19: 0x00007fff8758dbd8 CoreFoundation`CFRunLoopRunSpecific + 296
frame #20: 0x00007fff919dda59 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 278
frame #21: 0x0000000100002988 parseWebKit`main(argc=3, argv=0x00007fff5fbff5d8) + 4104 at parseWebKit.m:241
frame #22: 0x00007fff890385c9 libdyld.dylib`start + 1
frame #23: 0x00007fff890385c9 libdyld.dylib`start + 1</pre>
</div>
</p>
</body>
</html>